Tutorial: Flexible flow export via socketSink

This example is prepared for Unix systems (Linux and Mac) only. To ensure that no old or unnecessary plugins are loaded, first empty your plugin directory:

$ t2build -e
Plugin folder emptied
$

Unlike netflowSink, the socketSink plugin exports the output of all loaded plugins, in binary, text or JSON form, just as any other Sink plugin does. So, to begin with, compile all standard plugins and then remove txtSink, as we do not need it duplicating the output and adding unnecessary delay.

$ t2build
...
BUILD SUCCESSFUL
$ t2build -u txtSink
...
$

The anonymized sample PCAP used here can be downloaded here: faf-exercise.pcap. Please extract it under your data folder.

By default the sink sends to the local interface; if you want to export to a remote host, change the address in SERVADD. To be faster and compatible with the netflowSink experiment, we choose a UDP socket. Everything else is left at its default value. Then recompile the plugin.
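Before relying on the export, it is worth checking that records actually arrive where SERVADD points and how many of them do, since UDP drops silently. The following collector is an added example and not part of the tutorial or of Tranalyzer; the listening port is an assumption (set it to whatever your plugin is configured to send to), and it handles the text and JSON output forms only, not the binary record layout.

```python
import json
import socket

# Assumed listener endpoint: the tutorial says socketSink sends to the local
# interface by default (SERVADD); the port value here is an assumption.
LISTEN_ADDR = "127.0.0.1"
LISTEN_PORT = 6666


def parse_record(datagram: bytes):
    """Turn one exported datagram into a Python value.

    socketSink can emit binary, text or JSON. A JSON object is decoded into a
    dict; anything else is returned as a stripped text line (decoding the
    binary form would need the plugin's own record layout, not covered here).
    """
    text = datagram.decode("utf-8", errors="replace").strip()
    if text.startswith("{"):
        try:
            return json.loads(text)
        except json.JSONDecodeError:
            pass  # malformed JSON: fall through and keep the raw line
    return text


def receive_flows(max_records, addr=LISTEN_ADDR, port=LISTEN_PORT, timeout=5.0):
    """Collect up to max_records datagrams and return them parsed.

    UDP gives no delivery guarantee, so the number of records seen here is the
    collector's only loss indicator; compare it with the flow count Tranalyzer
    reports at the end of the run.
    """
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((addr, port))
        sock.settimeout(timeout)
        while len(records) < max_records:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break  # nothing more arrived within the timeout
            records.append(parse_record(data))
    return records


if __name__ == "__main__":
    flows = receive_flows(max_records=10)
    print(f"received {len(flows)} record(s)")
    for rec in flows:
        print(rec)
```

Start the collector first, then run Tranalyzer on the PCAP; binding to the local interface only keeps the exported flow data from being reachable by other hosts during the experiment.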